Oct 23rd 2014 Offices of Arthur Cox - Presentation by Paul C Dwyer CEO of Cyber Risk International outlining a high level overview of the holistic cyber threat landscape in 2014
2. Slides and Material May NOT be Distributed In Any Format Without Written Permission
Copyright Cyber Risk International Ltd – All Rights Reserved
3. Paul C Dwyer
Paul C Dwyer is an internationally recognised information security expert with over two decades' experience. He serves as President of the ICTTF International Cyber Threat Task Force and Co-Chairman of the UK NCA (National Crime Agency) Industry Group. He is a certified industry professional with the International Information Systems Security Certification Consortium (ISC2) and the Information Systems Audit & Control Association (ISACA), and was selected for the IT Governance Expert Panel.
Paul is a world-leading Cyber Security GRC authority. He has been an advisor to Fortune 500 companies, law enforcement agencies and the military (NATO), and recently advised DEFCOM UK at the Westminster Parliament.
He has worked and trained with organisations such as the US Secret Service, Scotland Yard, the FBI and the National Counter Terrorism Security Office (MI5), is approved by the National Crime Faculty and is a member of the High Tech Crime Network (HTCN).
Paul C Dwyer, CEO
Cyber Risk International
7. What Are Cyber Threats?
• Cybercrime
• Cyber Warfare
• Cyber Espionage
• Cyber X Adversary
9. Cyber Statistics
• Cybercrime costs £27 billion a year in the UK
• £1,000 a second
• 170,000 IDs are stolen each year – 1 every three seconds
• Theft of IP: £9.2 billion (pharmaceuticals, biotechnology, electronics, IT and chemicals)
Source: UK Cabinet Office
11. Cybercrime Economy Drivers
It’s a business with an excellent economic model.
Other reasons, you name it:
• Technology
• Internet
• Recession
• “A safe crime”
• It’s easy to get involved
• Part of Something
18. A Decade On: What Have We Learnt?
• Heating/AC Contractors Credentials
• Intrusion Months Before Data Theft
• Waited for US Thanksgiving Day
• Malware KAPTOXA/BlackPOS
7 Months – Average Time a Breach Goes Undetected
2/3 of Cases – Organisation Informed by a Third Party
21. Cyber Risks for You
• Tangible Costs
– Loss of funds
– Damage to Systems
– Regulatory Fines
– Legal Damages
– Financial Compensation
• Intangible Costs
– Loss of competitive advantage (Stolen IP)
– Loss of customer and/or partner trust
– Loss of integrity (compromised digital assets)
– Damage to reputation and brand
Quantitative vs. Qualitative
46% Reduction in Profits Following Breach
22. Bottom Line for Retailers
• Arms Race – Cat and Mouse
• Top 5 Target Groups – Continuously Attacked
• You Spend Less on Cyber Security
• Low Risk – High Reward for “Bad Guys” – Established Market for Data Assets
• Best Data Assets On the Planet
• Compliance is NOT Security
23. Retail Factors
• Data on networked and distributed systems that are accessible to a widening array of entry points
• Broad adoption of mobile applications by retailers adds many other new points of vulnerability
• Complex supply chains – more access and data is given to vendors and external partners
• Global expansion may require retailers to expand distribution of their own information around the world
25. Some Retailers' Doors!
• Point-of-sale (POS) terminals in stores
• Mobile POS access points
• Customer-facing e-commerce websites
• Links with each third-party vendor, supply-chain vendor, ecosystem partner and contractor
• Employee-facing access points – including those that may utilise employee-owned mobile devices – and the social workplace
• Links to connected data centers via the cloud
• Links to financial institutions and payment processors
• Links to managed service providers
• Links to delivery services
• Links to all other contractors who are provided with network access
• B2B, intranet and extranet portals
• In-store wireless routers, kiosks and networks
• The expanding “Internet of Things”: IP-based printers, IP-linked surveillance cameras and similar devices
28. Reconnaissance – Weaponisation – Delivery – Exploitation – C2 – Lateral Movement – Exfiltration – Maintenance
• Reconnaissance – Gathers intelligence about employee and assets
• Weaponisation – Chooses weapon from underground forum
• Delivery – Bad guy targets individual (asset)
• Exploitation – Exploit run
• C2 – Comms established with command & control server
• Lateral Movement – Move laterally across network
• Exfiltration – Exfiltrate data
• Maintenance – Protection, maintenance mode
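The stage sequence on this slide is useful to a defender as a correlation model: individual alerts are noisy, but the same host progressing through several consecutive stages is a strong signal, and the gap between the first and last stage observed is the dwell time the earlier slide puts at seven months on average. The following Python is an added example, not part of the presentation or of any Cyber Risk International material; the alert category names, the category-to-stage mapping and the log lines are all constructed for illustration.

```python
"""Correlate constructed per-host alerts against the slide's attack stages.

Added example. Category names, the mapping below and the sample log are
assumptions made for this illustration, not the output of any real product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Stages in the order the slide lists them.
STAGES = ["Reconnaissance", "Weaponisation", "Delivery", "Exploitation",
          "C2", "Lateral Movement", "Exfiltration", "Maintenance"]

# Hypothetical alert category -> stage. Unmapped categories are ignored.
CATEGORY_TO_STAGE = {
    "port_scan": "Reconnaissance",
    "phishing_email": "Delivery",
    "malicious_macro": "Exploitation",
    "beacon": "C2",
    "remote_login_new_host": "Lateral Movement",
    "large_outbound_transfer": "Exfiltration",
    "persistence_registry_run_key": "Maintenance",
}

# Constructed sample log: "<ISO timestamp> host=<name> cat=<category>".
LOG = """\
2014-10-23T08:02:10 host=hvac-vpn-gw cat=port_scan
2014-10-23T09:15:00 host=ws-finance-04 cat=phishing_email
2014-10-23T09:17:42 host=ws-finance-04 cat=malicious_macro
2014-10-23T09:18:05 host=ws-finance-04 cat=beacon
2014-10-24T02:30:11 host=pos-17 cat=remote_login_new_host
2014-10-24T02:31:00 host=pos-17 cat=beacon
2014-11-27T23:59:30 host=pos-17 cat=large_outbound_transfer
2014-10-23T10:00:00 host=ws-hr-02 cat=usb_inserted
"""


@dataclass
class Event:
    ts: datetime
    host: str
    category: str


def parse_line(line):
    """Parse one constructed log line into an Event."""
    ts_str, host_kv, cat_kv = line.split()
    return Event(datetime.fromisoformat(ts_str),
                 host_kv.split("=", 1)[1],
                 cat_kv.split("=", 1)[1])


def load_events(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def stages_per_host(events):
    """Return {host: [stage names in order of first observation]}."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        stage = CATEGORY_TO_STAGE.get(ev.category)
        if stage and stage not in seen[ev.host]:
            seen[ev.host].append(stage)
    return dict(seen)


def chain_progress(stages):
    """0-based index of the furthest stage reached, or -1 if none."""
    return max((STAGES.index(s) for s in stages), default=-1)


def escalate(events, threshold=2):
    """Hosts with at least `threshold` distinct stages, furthest stage first.

    dwell_days is the span between the first and last mapped alert on the
    host, i.e. how long the activity was visible before this report.
    """
    by_host = stages_per_host(events)
    times = defaultdict(list)
    for ev in events:
        if ev.category in CATEGORY_TO_STAGE:
            times[ev.host].append(ev.ts)
    findings = []
    for host, stages in by_host.items():
        if len(stages) < threshold:
            continue
        first, last = min(times[host]), max(times[host])
        findings.append({
            "host": host,
            "stages": stages,
            "furthest": STAGES[chain_progress(stages)],
            "dwell_days": (last - first).days,
        })
    findings.sort(key=lambda f: STAGES.index(f["furthest"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in escalate(load_events(LOG)):
        print(f["host"], f["furthest"], f["stages"], f"dwell={f['dwell_days']}d")
```

Keying on host alone is a deliberate simplification: the slide's lateral movement is by definition cross-host, so a production correlator would also link the source and destination of a remote login into one incident. The single-stage scan against the hypothetical contractor gateway is left below the threshold on purpose; it is the multi-stage progression on the workstation and the POS terminal that should reach an analyst.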
31. Regulatory and Legal
• EU Data Privacy Directive
• EU Network Information Security Directive
• European Convention on Cybercrime
• 400+ Others – 10,000+ Controls – 175 Legal Jurisdictions
All bearing on: Your Organisation
32. Responsibility – Convention on Cybercrime
All organisations need to be aware of the Convention's provisions in article 12, paragraph 2: ‘ensure that a legal person can be held liable where the lack of supervision or control by a natural person…has made possible the commission of a criminal offence established in accordance with this Convention’.
Now Sit Forward!
33. Cyber is a Strategic Issue
• Strategic Level (Macro Security) – How do cyber attacks affect policies, industry and business decisions?
• Operational Level – What kind of policies, procedures and business models do we need?
• Technical Level (Micro Security) – How can we solve our security problems with technology?
34. Board Room Discussion
• CEO – Loss of market share and reputation; legal exposure
• CFO/COO – Audit failure; fines and criminal charges; financial loss
• CIO – Loss of data confidentiality, integrity and/or availability
• CHRO – Violation of employee privacy
• CMO – Loss of customer trust; loss of brand reputation
Increasingly companies are appointing CROs and CISOs with a direct line to the audit committee.